The Six Core Dimensions of Comprehensive Technical Due Diligence

Digital tech startups are very attractive to investors and venture capitalists (VCs) because they usually promise high returns on investment due to their high-growth profiles and scalability. In general, digital technologies are a central component in the business model of most startups today. To be as competitive as possible, technology-driven startups rely on web or mobile apps, Artificial Intelligence (AI) or Blockchain as part of their value proposition or along their value chain.

Anyone investing in a digital tech startup—or also in an established company—should carefully examine whether the digital technology being developed or deployed by a startup can keep up with its business ambitions and growth scenarios. For example, just because an app's user interface looks fancy and modern doesn't mean that the underlying technology is fit for purpose or has been properly deployed.

To minimize the risk of bad investments and the associated losses, systematic evaluation of the technology developed or used by a startup is essential before any investment is made. Validating whether it is capable to deliver on its promises is thus a key challenge for investors and VCs.

The process of reviewing, validating and evaluating the technology developed or deployed by a company for investment purposes is described by the term Technical Due Diligence (Tech DD)—also known as Software Due Diligence. The following text explains the six core dimensions of a comprehensive Technical Due Diligence review for digital tech startups and their developed and deployed technologies. The six dimensions are:

1. Quality
2. Scalability
3. Security
4. Agility
5. Maintainability
6. Resilience

Quality

The quality assessment of a digital technology application or a software application can be divided into two areas: the quality of the user interfaces (UIs) and the quality of the code.

The assessment of the quality of the UIs is not reliant upon specific software engineering expertise, but can be performed by anyone with an understanding of the customer needs and journey. The following questions help to assess the UI:

• How easy and intuitive is the application to use?
• How simple is the navigation and how intuitive are the functionalities?
• How contemporary and modern is the UI design?
• How does it feel to use the application?
• What happens if I use the application incorrectly?

Code quality assessment, on the other hand, requires deep IT expertise and experience in software engineering. Questions like the following should be answered.

• How efficient are the computing processes and algorithms? The more efficiently a computer program runs, the less processing power and memory it requires. Which leads to lower operating costs for servers and/or lower system requirements.
• How is error handling? Errors and bugs occur in software development as sure as day follows night. Errors can be caused, for example, by incorrect operation or edge cases that have not been taken into account. A good application can handle them without total failure. Errors should also always be logged in order to fix their cause in the future.
• Does the code meet best practices and state-of-the-art technology standards? Did the developers choose the right technology for their application problem and did they apply that technology correctly?

Scalability

A startup does not have to build a software application from scratch that works for millions of users. It is much more important to have a modular and scalable architecture that s as the number of users grows without having to rebuild the application from scratch. In cloud applications, for example, we talk about horizontal scalability.

A startup does not have to build a software application from scratch that works for millions of users. It is much more important to design a modular and scalable architecture that is capable to expand as the number of users grows without having to rebuild the application from scratch. In cloud applications, for example, we talk about horizontal scalability.

The effort required for customer onboarding is another point that should be considered with regard to scalability. For example, does the application require complex manual installations and configurations (e.g., of servers or databases), which become a bottleneck as the number of customers grows? What can possibly be automated?

Security

In line with a company's success, its visibility and thus the likelihood of hacker attacks increases. If a company loses the trust of its customers because it is unable to keep their data safe, this has a direct and very detrimental impact on the company's value. In the worst case, additional financial damage can occur if attackers succeed in sabotaging the company's ability to continue its operations (e.g., encryption of the database by ransomware).

Important security standards are neglected, especially in the case of startups that want to launch their product on the market as quickly as possible. The topic of security should therefore receive sufficient attention at the latest during the Tech DD. The following questions should at least be clarified:

• Which standard is used for authentication and is this standard applied correctly (e.g. OAuth 2.0, OpenID)?
• Are application secrets kept secure (e.g. database passwords or API keys)?
• Does the source code not contain any information worth protecting (in the case of open source projects) or is access restricted?
• How vulnerable is the software application to attacks (e.g. ransomware or DDoS attacks)?
• What third-party solutions and libraries are used and do they potentially have security vulnerabilities?

Agility

Customer needs can and will change. Circumstances can and will change. Thus, the requirements for a software solution and/or the digital technologies used by the startup will change. The agility of a company has two dimensions in the Tech DD context: First, technical extendability and second, organizational flexibility.

To ensure technical extendability, the architecture of the software and technology solution must be modular (see also maintainability). Ideally, parts of the software application can be substituted at any time without risk of failure, or new parts can be added effortlessly. If small changes to the code cause a multitude of new bugs and errors, then technical extensibility is not or hardly guaranteed.

Organizational flexibility refers primarily to the development and innovation processes. A good measure of this is, for example, release cycles (frequency with which new functionality is released). Many startups state that they work according to Lean Startup approaches and with agile methods such as Scrum or Kanban. This enables them to react quickly to changes, at least in theory. However, in practice, you can always find startups that are rather rigid in this regard or do not effectively apply the agile development methods. Possible questions are:

• How are new features implemented?
• Which team roles exist and how are responsibilities assigned?
• How is development and operations organized (DevOps)?

Maintainability

There is this saying "Software is like a plant": Software grows and must be maintained, otherwise it will grow wild and weed. How the software is written, structured and documented is crucial for its maintainability. One dimension of maintainability is technical extensibility (see agility). The longer the planned lifetime of the software and the fewer experts are available for the subject area, the more important maintainability is. The following questions help to assess the maintainability of a software solution.

• How good is the documentation, especially of interfaces?
• Do the interfaces comply with a certain standard?
• Are automated tests available (unit and integration tests)?
• Have design principles and generally established structure patterns been applied (e.g. Separation of Concerns)?
• Are several developers able to maintain the software solution or lies all the know-how with one/few person(s)?

Resilience

Resilience refers to the ability of software solutions to react robustly to disruptions and problems, such as failures of individual components, and to continue to provide a functioning system for the user or to do so as quickly as possible. A resilient system theoretically never reaches the state of total failure. The characteristics of a resilient system include high resistance, robust functionality, fast recoverability of the database or of partial functions. When assessing resilience, the following questions arise:

• Are subcomponents of the software solution redundant (e.g., multiple instances/pods of individual micro services)?
• Is the availability of the software solution automatically monitored and are faulty or crashed components automatically restarted?
• Is the database backed up regularly and automatically?
• Can previous states of the application be easily restored in the event of a failure (e.g. rollback deployments)?

Conclusion

The six dimensions of technical due diligence presented (quality, scalability, security, agility, maintainability, resilience) allow the technologies developed or deployed by a digital tech startup to be examined holistically for investment purposes. The questions relevant to each dimension are outlined, but not fully elaborated. However, they serve as a good starting point for a tech DD. The six dimensions can, of course, also be used to examine an established company and its digital technology, whereby the topic of legacy applications and software modernisation deserves additional attention.